As more and more providers adopt electronic health records (“EHRs”) systems (and with new regulations concerning their required use for purposes of Medicare billing for chronic care management, their popularity can only continue to grow), a myriad of compliance issues continue to surround them. To that end, the federal government has stepped up auditing programs to ensure compliance with HIPAA/HITECH as well as making sure taxpayer money has been invested wisely through the Meaningful Use program. The bent of these audit programs is clearly along the lines that applicable covered entities and business associates should be preparing with a “when” mindset, rather than “if,” as these audits are going to happen. More >

Earlier this week, information about OCR Phase 2 HIPAA audits was provided. Today, let’s take a look at how to prepare if your entity is selected for an audit:

Confirm that a recent comprehensive Risk Assessment has been completed and documented.

Confirm that all action items identified in the Risk Assessment have received attention and have been completed (or are in the process of being completed).

Verify that policies are up-to-date, including breach notification procedures, notice of privacy practices, and responses to patient requests.

Ensure that a current list of business associates (and their contact information) is readily available.

Because Phase 2 does not consist of on-site visits, there will not be an opportunity for dialogue with auditors. Therefore, it is crucial to ensure that documentation alone shows a complete picture of an entity’s compliance efforts. All documents should be carefully reviewed, dated, and signed before turned over to an auditor. While providing extraneous information is not recommended, it is important to double-check that all requested and necessary information is submitted.

Phase 2 audits set to occur in 2016 will focus on the Security Standard’s encryption and decryption requirements, facility access controls, breach reports and complaints. It is never too early to start considering what protocols, training, and procedures will need to be implemented in anticipation of a possible audit related to these items.

In the event you are selected for a Phase 2 audit and have any questions about your responsibilities or what you can do to ensure a smooth process, contact a McBrayer health care attorney today.

This article is intended as a summary of newly enacted federal and state law and does not constitute legal advice.

In February 2014, the Health and Human Services Office of Civil Rights (“OCR”) announced its plans to send pre-audit surveys to between 550 and 800 entities during the summer in preparation for Phase 2 HIPAA compliance audits. After collecting information from those surveyed, OCR will select about 400 of those entities for actual HIPAA audits. Those audits will begin this fall – which is quickly approaching. More >

Recently, the Department of Justice (“DOJ”) intervened in a qui tam whistleblower suit in the US District Court for the Southern District of new York, which involves Continuum Health Partners and several Mount Sinai-related hospitals. United States ex. Rel. Kane v. Continuum Health Partners, Inc. et al, (Civil Action, No. 11-2325(ER)). While DOJ intervention in whistleblower cases is not unusual, this case is significant because the DOJ’s complaint specifically alleges that the defendants failed to return Medicaid overpayments within 60 days, as required by the Affordable Care Act (“ACA”). The case is one of the first to explore the issues and interpret the requirements of the 60-Day Rule. More >

Are you a health care provider familiar with the challenges of getting paid for services rendered? Is Medicaid making it more complicated? Join the McBrayer health care group and Kentucky Primary Care Association for a discussion about the Medicaid reimbursement process -- disputes, audits, appeals, reconciliations, payment plans, and everything in between. This 2-part series webinar will help you make sense of Medicaid and put you on the road to reimbursement. More >

Health care providers are always at risk of a payor audit, and contracted auditors seem to be more aggressive now than ever. While MIC, MAC, and ZPIC audits as well as pre-payment reviews of late have become more efficient with the use of rules of thumb to flag specific codes commonly misapplied, the U.S. District Court of Vermont’s ruling in Jimmo v. Sebelius puts the brakes on such fishing expeditions. In holding that, in the case of skilled nursing services, there is no “improvement standard” and claims should be reviewed on a case by case basis, the court has limited CMS in its ability to apply arbitrary standards in denying reimbursement for covered services. More >

In 2013, the Department of Justice (“DOJ”) and Office of Inspector General (“OIG”) charged the nation’s largest for-profit hospice chain, Vitas Innovative Hospice Care (“Vitas”), with false Medicare billings, inappropriately admitting patients with “aggressive marketing tactics,” and misleading patients and families about Medicare hospice benefits. This suit is just one of many recently filed against hospice providers, indicating that they are being watched keenly by enforcement authorities and government agencies. More >

On Friday, the U.S. Department of Health and Human Services (HHS) announced a new security risk assessment (“SRA”) tool for small and medium size healthcare providers. The downloadable tool (available for free here) is a self-contained, independent application that is available for Windows and iOS platforms. The SRA works by asking a series of in-depth questions about the provider’s activities and facilities. The “yes” or “no” answer format for each question reveals whether corrective action is needed in a particular area. Additional resources in the SRA help providers understand the risks associated with the use, disclosure and storage of protected health information. The SRA offers providers the opportunity to generate, update and document assessment materials and corrective action plans through the SRA; documentation is especially important for audit purposes. More >

Texting is becoming an increasingly acceptable form of communication in the business world, but can it be relied upon in the health care industry? There are numerous advantages to texting in the fast-paced world of health care. In an environment where time is of the essence, voicemails and pagers can slow down providers’ care and fail to convey adequate information. A text, on the other hand, is both immediate and can be detail-specific. In addition, texting can involve more than one sender and/or receiver in a closed-loop conversation, and, unlike through the paging system, a sender can be notified when the message has been read by the receiver(s). Text messaging can not only improve an entity’s efficiency, but it can also serve as a way to easily connect with patients, thereby improving quality of care. More >